Conflicts in Policy-Based Distributed Systems Management
November/December 1999 (vol. 25 no. 6)
pp. 852-869

Abstract—Modern distributed systems contain a large number of objects and must be capable of evolving, without shutting down the complete system, to cater for changing requirements. There is a need for distributed, automated management agents whose behavior also has to dynamically change to reflect the evolution of the system being managed. Policies are a means of specifying and influencing management behavior within a distributed system, without coding the behavior into the manager agents. Our approach is aimed at specifying implementable policies, although policies may be initially specified at the organizational level (cf. goals) and then refined to implementable actions. We are concerned with two types of policies. Authorization policies specify what activities a manager is permitted or forbidden to do to a set of target objects and are similar to security access-control policies. Obligation policies specify what activities a manager must or must not do to a set of target objects and essentially define the duties of a manager. Conflicts can arise in the set of policies. For example, an obligation policy may define an activity which is forbidden by a negative authorization policy; there may be two authorization policies which permit and forbid an activity; or two policies permitting the same manager to sign checks and approve payments may conflict with an external principle of separation of duties. Conflicts may also arise during the refinement process between the high-level goals and the implementable policies. The system may have to cater for conflicts such as exceptions to normal authorization policies. This paper reviews policy conflicts, focusing on the problems of conflict detection and resolution. We discuss the various precedence relationships that can be established between policies in order to allow inconsistent policies to coexist within the system and present a conflict analysis tool which forms part of a role-based management framework. Software development and medical environments are used as example scenarios in the paper.

Index Terms:
Obligation policy, authorization policy, meta-policy, policy conflict, conflict resolution, management roles.
Emil C. Lupu, Morris Sloman, "Conflicts in Policy-Based Distributed Systems Management," IEEE Transactions on Software Engineering, vol. 25, no. 6, pp. 852-869, Nov.-Dec. 1999, doi:10.1109/32.824414